Stream: smart
Topic: The `aud` parameter
Lee Surprenant (Jun 16 2021 at 13:50):
One of the OAuth extensions defined in SMART App Launch is the aud
parameter that clients are required to pass to the auth endpoint.
This one has always bugged me because it is possibly the only thing that prevents someone from using a "standard" OAuth 2.0 / OIDC client.
For example, it means you can't use Postman's built-in OAuth 2.0 authorization support.
Question: when this was originally discussed, did anyone consider following https://datatracker.ietf.org/doc/html/draft-tschofenig-oauth-audience-00 and making that audience request a parameter to the token endpoint as opposed to the auth endpoint?
Nathan Hall (Jun 16 2021 at 14:12):
You actually can use Postman's built-in support, you just have to add the aud to the Auth URL field like so:
`{{AUTH_URL}}?aud={{AUD_URL}}`
Nathan Hall (Jun 16 2021 at 14:13):
Bugged me for a while as well until I did that.
Lee Surprenant (Jun 16 2021 at 14:34):
Ah, that is a GREAT tip, thanks Nathan.
Lee Surprenant (Jun 16 2021 at 14:36):
Still curious on the question of whether that IETF draft was considered. I found that Postman supports that one now through its Advanced Options tab.
Lee Surprenant (Jun 16 2021 at 14:37):
And also found https://stackoverflow.com/questions/45876960/how-to-specify-audience-for-an-oauth2-access-token which claims at least Auth0 supports this as well.
Lee Surprenant (Jun 16 2021 at 14:38):
It also seems like it could help with the concerns raised under https://chat.fhir.org/#narrow/stream/179170-smart/topic/Multiple.20Audiences ...or maybe not (I was thinking you could authenticate once and then get tokens for different endpoints by calling the token endpoint multiple times, but now I don't think it works like that).
Michele Mottini (Jun 16 2021 at 14:39):
too late
Josh Mandel (Jun 16 2021 at 20:50):
I don't think this ever came up in discussion. In practice, either approach requires adding an audience parameter to a step in the process (either the authorize step or the token step). One advantage of attaching it to the authorize step (as we do today in SMART) is that broken cases can fail fast, rather than after the user has completed an approval step.
Josh Mandel (Jun 16 2021 at 20:51):
(that draft from 2013 is also... very drafty... but I'm trying to fill in details generously.)
Last updated: Apr 12 2022 at 19:14 UTC